iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Florian Westphal 542fbda0f0 netfilter: nat: can't use dst_hold on noref dst 
The dst entry might already have a zero refcount, waiting on rcu list
to be free'd.  Using dst_hold() transitions its reference count to 1, and
next dst release will try to free it again -- resulting in a double free:

  WARNING: CPU: 1 PID: 0 at include/net/dst.h:239 nf_xfrm_me_harder+0xe7/0x130 [nf_nat]
  RIP: 0010:nf_xfrm_me_harder+0xe7/0x130 [nf_nat]
  Code: 48 8b 5c 24 60 65 48 33 1c 25 28 00 00 00 75 53 48 83 c4 68 5b 5d 41 5c c3 85 c0 74 0d 8d 48 01 f0 0f b1 0a 74 86 85 c0 75 f3 <0f> 0b e9 7b ff ff ff 29 c6 31 d2 b9 20 00 48 00 4c 89 e7 e8 31 27
  Call Trace:
  nf_nat_ipv4_out+0x78/0x90 [nf_nat_ipv4]
  nf_hook_slow+0x36/0xd0
  ip_output+0x9f/0xd0
  ip_forward+0x328/0x440
  ip_rcv+0x8a/0xb0

Use dst_hold_safe instead and bail out if we cannot take a reference.

Fixes: a4c2fd7f7891 ("net: remove DST_NOCACHE flag")
Reported-by: Martin Zaharinov <micron10@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-12-13 00:58:22 +01:00
..
6lowpan
6lowpan: iphc: reset mac_header after decompress to fix panic
2018-07-06 12:32:12 +02:00
9p
Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-11-03 10:35:52 -07:00
802
8021q
netpoll: allow cleanup to be synchronous
2018-10-19 17:01:43 -07:00
appletalk
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
atm
Revert "net: simplify sock_poll_wait"
2018-10-23 10:57:06 -07:00
ax25
ax25: remove blank line at EOF
2018-07-24 14:10:42 -07:00
batman-adv
batman-adv: Expand merged fragment buffer for full packet
2018-11-12 10:41:29 +01:00
bluetooth
Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-11-01 19:58:52 -07:00
bpf
bpf: add tests for direct packet access from CGROUP_SKB
2018-10-19 13:49:34 -07:00
bpfilter
net: bpfilter: Set user mode helper's command line
2018-10-22 19:37:36 -07:00
bridge
net: bridge: fix vlan stats use-after-free on destruction
2018-11-17 21:38:44 -08:00
caif
Revert "net: simplify sock_poll_wait"
2018-10-23 10:57:06 -07:00
can
can: raw: check for CAN FD capable netdev in raw_sendmsg()
2018-11-09 17:19:34 +01:00
ceph
libceph: fall back to sendmsg for slab pages
2018-11-19 17:59:47 +01:00
core
net: fix XPS static_key accounting
2018-11-29 11:06:08 -08:00
dcb
net: dcb: Add priority-to-DSCP map getters
2018-07-27 13:17:50 -07:00
dccp
Revert "net: simplify sock_poll_wait"
2018-10-23 10:57:06 -07:00
decnet
decnet: Remove unnecessary check for dev->name
2018-09-21 19:48:36 -07:00
dns_resolver
dns: Allow the dns resolver to retrieve a server set
2018-10-04 09:40:52 -07:00
dsa
net: dsa: Fix tagging attribute location
2018-11-30 17:17:39 -08:00
ethernet
net: Convert GRO SKB handling to list_head.
2018-06-26 11:33:04 +09:00
hsr
ieee802154
net/ipfrag: let ip[6]frag_high_thresh in ns be higher than in init_net
2018-09-21 19:45:52 -07:00
ife
ipv4
tcp: fix SNMP TCP timeout under-estimation
2018-11-30 17:22:41 -08:00
ipv6
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
2018-11-28 11:02:45 -08:00
iucv
Revert "net: simplify sock_poll_wait"
2018-10-23 10:57:06 -07:00
kcm
Revert "kcm: remove any offset before parsing messages"
2018-09-17 18:43:42 -07:00
key
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
2018-07-27 09:33:37 -07:00
l2tp
l2tp: fix a sock refcnt leak in l2tp_tunnel_register
2018-11-14 22:49:31 -08:00
l3mdev
lapb
llc
llc: do not use sk_eat_skb()
2018-10-22 19:59:20 -07:00
mac80211
mac80211: implement ieee80211_tx_rate_update to update rate
2018-10-12 13:05:40 +02:00
mac802154
mac802154: Remove VLA usage of skcipher
2018-09-28 12:46:07 +08:00
mpls
net/mpls: Handle kernel side filtering of route dumps
2018-10-16 00:14:07 -07:00
ncsi
net/ncsi: Add NCSI Broadcom OEM command
2018-10-17 22:14:54 -07:00
netfilter
netfilter: nat: can't use dst_hold on noref dst
2018-12-13 00:58:22 +01:00
netlabel
netlabel: check for IPV4MASK in addrinfo_get
2018-09-21 18:58:34 -07:00
netlink
netlink: Add answer_flags to netlink_callback
2018-10-16 00:13:12 -07:00
netrom
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
nfc
Merge branch 'work.tty-ioctl' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-10-24 14:43:41 +01:00
nsh
nsh: set mac len based on inner packet
2018-07-12 16:55:29 -07:00
openvswitch
openvswitch: fix spelling mistake "execeeds" -> "exceeds"
2018-11-30 13:18:09 -08:00
packet
packet: copy user buffers before orphan or clone
2018-11-23 11:08:03 -08:00
phonet
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
psample
qrtr
net: qrtr: Reset the node and port ID of broadcast messages
2018-07-05 20:20:03 +09:00
rds
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-10-12 21:38:46 -07:00
rfkill
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-09-04 21:33:03 -07:00
rose
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
rxrpc
rxrpc: Fix life check
2018-11-15 11:35:40 -08:00
sched
net/sched: act_police: fix memory leak in case of invalid control action
2018-11-30 17:14:06 -08:00
sctp
sctp: update frag_point when stream_interleave is set
2018-11-30 13:12:43 -08:00
smc
net/smc: use after free fix in smc_wr_tx_put_slot()
2018-11-21 16:14:56 -08:00
strparser
bpf, sockmap: convert to generic sk_msg interface
2018-10-15 12:23:19 -07:00
sunrpc
NFS client bugfixes for Linux 4.20
2018-11-15 10:59:37 -06:00
switchdev
tipc
tipc: fix lockdep warning during node delete
2018-11-27 16:30:39 -08:00
tls
Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-11-01 19:58:52 -07:00
unix
Revert "net: simplify sock_poll_wait"
2018-10-23 10:57:06 -07:00
vmw_vsock
vsock: split dwork to avoid reinitializations
2018-08-07 12:39:13 -07:00
wimax
wimax: remove blank lines at EOF
2018-07-24 14:10:42 -07:00
wireless
nl80211: Add per peer statistics to compute FCS error rate
2018-10-12 12:56:34 +02:00
x25
net/x25: handle call collisions
2018-11-29 14:25:36 -08:00
xdp
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-10-19 11:03:06 -07:00
xfrm
Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2018-11-03 18:25:17 -07:00
compat.c
y2038: socket: Change recvmmsg to use __kernel_timespec
2018-08-29 15:42:24 +02:00
Kconfig
bpf, sockmap: convert to generic sk_msg interface
2018-10-15 12:23:19 -07:00
Makefile
bpfilter: check compiler capability in Kconfig
2018-06-28 13:36:39 +09:00
socket.c
socket: do a generic_file_splice_read when proto_ops has no splice_read
2018-11-17 21:34:11 -08:00
sysctl_net.c